Nexus 3 security communications and security headers


#1

Hello!

I’m going to run the sonatype / nexus3 image in docker and I’d like to know if Nexus complies with the following security communications?

  • TLS 1.2 or higher?
  • With the following ciphers:
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256?
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384?
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256?
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384?
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256?
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384?
  • Does nexus have this or more ciphers?

I would also like to know if Nexus complies with the following security headers?

  • HTTP::header insert “X-FRAME-OPTIONS” “SAMEORIGIN”?
  • HTTP::header insert Strict-Transport-Security “max-age=31536000”?
  • HTTP::header insert “Pragma” “no-cache”?
  • HTTP::header insert “Expires” “0”?
  • HTTP::header insert “Set-Cookie” “${set_cookie_header}; HttpOnly”?
  • HTTP::header insert “Set-Cookie” “${set_cookie_header}; Secure”?
  • HTTP::header insert “X-Content-Type-Options” “nosniff”?
  • HTTP::header insert “X-XSS-Protection” “1; mode=block”?
  • HTTP::header insert “Content-Security-Policy”?
  • HTTP::header insert “Referrer-Policy”?
  • HTTP::header insert “Public-Key-Pins”?

Thanks
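Whatever the answer for Nexus itself, the requirements in the question are something you can verify against a running instance rather than take on trust. The script below is an added example written for this thread; it is not code from the original post, from Sonatype, or from the Nexus image. It checks a response against every item listed above: the negotiated TLS version and cipher suite on the transport side, and each header (X-Frame-Options value, HSTS max-age of at least 31536000, Pragma/Expires, HttpOnly and Secure on every Set-Cookie, nosniff, X-XSS-Protection, and the presence of CSP, Referrer-Policy and Public-Key-Pins). The cipher names in the question are IANA names while Python's `ssl` module reports OpenSSL names, so a small converter maps between them. The hostname `nexus.example.internal` and the sample header sets are constructed placeholders; in practice this audit should be run against the reverse proxy or load balancer that terminates TLS in front of Nexus, since that is usually where these headers are added.

```python
"""Audit a Nexus (or any HTTPS) endpoint against the TLS and header list from the question."""
import http.client
import re
import ssl
from typing import Dict, List, Optional, Tuple

# Cipher suites from the question, in IANA notation.
REQUIRED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
MIN_HSTS_AGE = 31536000  # one year, as required in the question


def iana_to_openssl(name: str) -> str:
    """Convert a TLS 1.2 IANA suite name to the OpenSSL name that ssl.SSLSocket.cipher() reports."""
    stripped = name.removeprefix("TLS_").replace("WITH_", "")
    stripped = stripped.replace("AES_128", "AES128").replace("AES_256", "AES256")
    return stripped.replace("_", "-")


ALLOWED_OPENSSL_CIPHERS = {iana_to_openssl(c) for c in REQUIRED_CIPHERS}


def cipher_allowed(openssl_name: str) -> bool:
    """True if the negotiated cipher is one of the six suites listed in the question."""
    return openssl_name in ALLOWED_OPENSSL_CIPHERS


def tls_version_ok(version: Optional[str]) -> bool:
    """True for TLS 1.2 or 1.3 as reported by SSLSocket.version()."""
    return version in ("TLSv1.2", "TLSv1.3")


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings against the header list; an empty list means all checks passed."""
    findings: List[str] = []
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:  # header names are case-insensitive; Set-Cookie may repeat
        by_name.setdefault(name.lower(), []).append(value.strip())

    def first(name: str) -> Optional[str]:
        vals = by_name.get(name.lower())
        return vals[0] if vals else None

    xfo = first("X-Frame-Options")
    if xfo is None or xfo.upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")

    age = re.search(r"max-age=(\d+)", first("Strict-Transport-Security") or "", re.I)
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append(f"Strict-Transport-Security missing or max-age below {MIN_HSTS_AGE}")

    if (first("Pragma") or "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing")
    if first("Expires") != "0":
        findings.append("Expires: 0 missing")

    for cookie in by_name.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")

    if (first("X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    xss = first("X-XSS-Protection")
    if xss is None or xss.replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection: 1; mode=block missing")
    for name in ("Content-Security-Policy", "Referrer-Policy", "Public-Key-Pins"):
        if first(name) is None:
            findings.append(f"{name} missing")
    return findings


def fetch(host: str, port: int = 443, path: str = "/") -> Tuple[str, str, List[Tuple[str, str]]]:
    """Connect with TLS 1.2+ only and return (tls_version, openssl_cipher, response_headers)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older outright
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.connect()
    version, cipher = conn.sock.version(), conn.sock.cipher()[0]
    conn.request("GET", path)
    headers = conn.getresponse().getheaders()
    conn.close()
    return version, cipher, headers


# Constructed sample responses, used to exercise the audit without a live server.
SAMPLE_GOOD = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Pragma", "no-cache"), ("Expires", "0"),
    ("Set-Cookie", "NXSESSIONID=constructed; Path=/; HttpOnly; Secure"),
    ("X-Content-Type-Options", "nosniff"), ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Referrer-Policy", "no-referrer"), ("Public-Key-Pins", "pin-sha256=\"constructed\"; max-age=5184000"),
]
SAMPLE_BAD = [h for h in SAMPLE_GOOD if h[0] != "Strict-Transport-Security" and h[0] != "Set-Cookie"]
SAMPLE_BAD.append(("Set-Cookie", "NXSESSIONID=constructed; Path=/; Secure"))

if __name__ == "__main__":
    version, cipher, hdrs = fetch("nexus.example.internal")  # placeholder host
    print("TLS version", version, "ok" if tls_version_ok(version) else "TOO OLD")
    print("cipher", cipher, "ok" if cipher_allowed(cipher) else "NOT IN REQUIRED LIST")
    for finding in audit_headers(hdrs) or ["all header checks passed"]:
        print(finding)
```

Run it from a host that can reach the instance; note that `Public-Key-Pins` is flagged only as present or absent, since HPKP has been removed from current browsers and a pin value that is wrong can lock users out, so review any value it reports by hand.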